TLS/SSL Certificates
This document provides the steps required to configure the TLS/SSL Certificates Inspector.
Quick Details
Recommended Agent: On-Demand
Supported Agents: On-Demand
Is Auto-Discovered By: Internet Domain/DNS Inspector
Can Auto-Discover: N/A
Parent/Child Type Inspector: No
Inspection via: CLI
Data Summary: Here
Overview
See it in Action
Rate/Request Limits
This Inspector will issue dozens of requests in order to determine protocols and algorithms supported by the certificate.
If you wish to limit the connections/request please use the Bypass TLS Algorithm Checks feature in the Inspector template.
TLS/SSL Certificate Inspector
Not all associated domains will have a TLS/SSL inspection, although it is strongly recommended. You can confirm whether or not TLS/SSL exists for a site by simply setting up the Internet Domain/DNS Inspector first and reviewing the Overview tab.
If it says "true," then it is strongly recommended that this Inspector be set up; however, if it says "false," then this Inspector is unnecessary.
Inspector Setup Preparation
TLS/SSL Certificate Inspectors are Auto-Discovered by the Internet Domain/DNS Inspector. If you have rolled out an Inspector for the associated Internet Domain to this TLS/SSL Certificate, then follow the Auto-Discovery Liongard Inspector Setup process.
If you have not rolled out an Inspector for the associated Internet Domain to this TLS/SSL Certificate, then follow our Internet Domain/DNS documentation to roll out that Inspector, and then follow the Auto-Discovery Liongard Inspector Setup process.
If you do not plan to roll out an Inspector for the associated Internet Domain to the TLS/SSL Certificate, or there isn't an associated Internet Domain, then follow our Single Setup Liongard Inspector Setup process.
Liongard Inspector Setup
Activating Auto-Discovered Inspectors
If you have activated your Internet Domain/DNS Inspector(s), it will auto-discover your TLS/SSL Certificate Inspectors. Follow the steps below:
Navigate to Admin > Inspectors > Inspector Types > Select TLS/SSL Certificate > Select the Discovered Systems tab
Here you can Activate your Discovered TLS/SSL Certificate Inspector(s):
- Select the checkbox to the left of the Inspector(s) that you would like to Activate
- Select the Actions drop down menu above the Discovered Systems table
- Select Activate Launchpoints
Missing Discovered Inspectors
Inspectors are Auto-Discovered after other Inspectors finish running. If you don't see an Auto-Discovered TLS/SSL Certificate Inspector as expected, then check that your associated Internet Domain/DNS Inspector has completed running.
Single Liongard Inspector Setup
In Liongard, navigate to Admin > Inspectors > Navigate to the TLS/SSL Certificate Inspector > select Add System.
Fill in the following information:
- Environment: Select the Environment this System should be associated to
- Friendly Name: Suggested "[Domain Name without any preceding characters] TLS/SSL". For example, "anydomain.com TLS/SSL".
- Agent: On-Demand Agent
- Inspector Version: Latest
- Domain: Provide the actual domain name without any prefixes like https:// or www (e.g. anydomain.com)
Custom Ports
By default, the TLS/SSL Inspector will target port 443. If you'd like to target a different port, you may include it after the domain in the form: 'host:port' (e.g. anydomain.com:123)
- Bypass TLS Algorithm Checks: If you would like to avoid a large number of requests from hitting your website, turn this feature on. It will bypass checks on algorithms and protocols the certificate can accept.
Retries and Timeout
The fields "Number of Retries" and "Timeout" that contain default (recommended) settings. It's only necessary to adjust these settings if an inspection failure occurs.
Though very rare, some under-performing sites may require additional adjustments for the inspection to properly complete.
- Number of Retries: Default settings are recommended
- Timeout (Secs):Default settings are recommended
- Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
Select Save. The Inspector will now be triggered to run within the minute.
Optional: Turn on Flexible Asset/Configuration Auto-Updating
If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:
- ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
- IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled
TLS/SSL Certificates Quick Tips/FAQs
Updated about 1 year ago